National Digital Library of Theses and Dissertations in Taiwan

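Graduate student: 陳雨沅
Graduate student (English): Yu-Yuan
Thesis title: 使用區塊鏈強化OAuth機制之方法
Thesis title (English): Using blockchain technologies to enhance the OAuth protocol on cross domain capabilities
Advisor: 查士朝
Advisor (English): Shi-Cho Cha
Committee members: 羅乃維, 洪英訓
Committee members (English): Nai-Wei Lo, Ying-Hsun Hung
Oral defense date: 2019-01-23
Degree: Master's
Institution: National Taiwan University of Science and Technology
Department: Department of Information Management
Discipline: Computer Science
Sub-discipline: General Computer Science
Thesis type: Academic thesis
Publication year: 2019
Graduation academic year: 107
Language: Chinese
Number of pages: 40
Keywords (Chinese): OAuth, 區塊鏈, 智能合約
Keywords (English): OAuth, Blockchain, smart contract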
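The OAuth protocol lets users authorize third parties to access protected data that they keep elsewhere, and it is the current standard for data access across services. Many large service providers acting as resource providers, such as Google and Facebook, have implemented their own authorization services on top of OAuth so that resource requesters can access a user's resources in that service with the user's consent. In these authorization services the resource provider must first identify the user and verify the user's consent to the authorization; the resource requester can then obtain from the resource provider the data the user has agreed to release. In this process, however, the resource provider is often given the responsibility of controlling resource requesters, which raises management costs. Under current data-portability requirements, small and medium-sized service operators that also need to provide data face the problem of controlling these resource requesters. If identification and authorization of users and resource requesters could be separated out and handled by a larger organization, a certain level of security could be maintained while reducing the resource provider's management costs. OAuth, however, has not considered this scenario, so when a resource provider hands authorization checks to another party, it has to rely on separately established verification methods to confirm whether a resource requester's request has been approved. In addition, when data is exchanged among multiple parties (users, resource requesters, authorization management units and resource providers), complete records must be kept to resolve disputes that arise when the parties understand the authorization for a shared resource differently.
This study defines a method for verifying exchanged information during cross-organization information access, and for recording the related request and authorization information using blockchain and smart contract technology. Using the blockchain as a tamper-proof distributed database makes it convenient to leave evidence when a third party requests authorization and when the data owner consents, which supports later review of responsibility. The transparency and openness of the blockchain may, however, endanger the data owner's privacy, so this study also takes the data owner's privacy into account: data owner information on the blockchain is always encrypted, so that the data owner's information is not disclosed. Finally, the method is implemented in a small test environment, so that OAuth can achieve a complete verification mechanism for cross-domain communication through this method.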
The OAuth protocol is a cross-domain data exchange standard that allows users to authorize third parties to access their protected data. Many large-scale service providers, such as Google and Facebook, use the OAuth protocol to implement their own authorization services. In these authorization services, the resource provider first needs to identify the user and verify the user's consent, and then the data consumer can obtain the information from the resource provider. However, resource providers are often in charge of managing the data consumers, which increases management costs. For example, some small or medium-scale service providers need to provide data but find it difficult to manage those data consumers. Hence, if identification and authorization of the user and the data consumers could be separated out, with large-scale organizations made responsible for those functions, the quality of security could be maintained while the resource providers' management costs decrease. However, the OAuth protocol has not considered this situation. Therefore, when resource providers transfer the verification of users' authorization to other parties, they must confirm whether the data consumers' requests have been approved by methods that each establishes separately. In addition, when data is exchanged among all roles, complete records must be maintained to resolve disputes in which users, data consumers, authorization services and resource providers understand the authorization differently.
This paper proposes a method that verifies the data exchanged across domains and records related request and authorization information through blockchain technology and smart contracts. The blockchain serves as a tamper-proof, decentralized database that can be trusted to store third-party authorization requests and users' agreement. This evidence is useful for reviewing responsibilities in the future. However, the transparency of the blockchain may invade users' privacy. Therefore, this paper also considers users' privacy: on the blockchain, all user information is encrypted, which avoids revealing users' private information. Finally, we implemented a prototype and evaluated the performance of the method, so that the modified OAuth protocol can achieve a better verification mechanism across domains.
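Abstract (Chinese)
ABSTRACT
Acknowledgements
Table of Contents
List of Figures
List of Tables
List of Symbols
Chapter 1 Introduction
1.1 Research Background and Motivation
1.2 Research Objectives and Contributions
1.3 Chapter Overview
Chapter 2 Literature Review and Background Knowledge
2.1 Blockchain
2.2 Smart Contracts
2.3 OAuth
Chapter 3 Problem Scenario and Requirements Analysis
3.1 Problem Scenario
3.2 Requirements Analysis
Chapter 4 A Method for Enhancing the OAuth Mechanism Using Blockchain
4.1 Method Overview
4.2 Method Flow
Chapter 5 Experimental Verification and Analysis of the Method
5.1 System Environment
5.2 Flow Verification
5.2.1 Requesting Authorization
5.2.2 Authorization
5.2.3 Obtaining Data
5.3 Performance Verification
Chapter 6 Requirements Verification
6.1 Data Verification Between OAuth Roles
6.2 Recording Request and Consent Information
6.3 Security and Privacy Considerations
Chapter 7 Conclusion
7.1 Conclusion
7.2 Future Research Directions
References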